Security Incidents mailing list archives

Re: Faking authloop for illegal user suzanne from 202.144.239.147 port 101{3,2}

From: Bob Rentschler <rentscb () WES ARMY MIL>
Date: Thu, 15 Feb 2001 13:03:13 -0600

On Thu, 15 Feb 2001, Wendell Craig Baker wrote:

That is ssh faking a login so that valid usernames cannont be determined
by trying random names and seeinf different behavior for valid vs
non valid users. Basicly sshd knows its a bad user so it presents
a phoney password prompt after the login has already failed due
to the bad username.

                Bob

Does anyone have any folklore on a contact that looks like this?

Just the two contacts:

Jan 29 12:18:54 sploosh sshd[2817]: Faking authloop for illegal user suzanne
from 202.144.239.147 port 1013
Jan 29 12:19:02 sploosh sshd[2817]: Connection closed by 202.144.239.147
Jan 29 12:19:11 sploosh sshd[2818]: Faking authloop for illegal user suzanne
from 202.144.239.147 port 1012
Jan 29 12:19:15 sploosh sshd[2818]: Connection closed by 202.144.239.147


--
Wendell Craig Baker
415 699 9567
wbaker () baker com

Current thread:

Faking authloop for illegal user suzanne from 202.144.239.147 port 101{3,2} Wendell Craig Baker (Feb 15)
- Re: Faking authloop for illegal user suzanne from 202.144.239.147 port 101{3,2} Bob Rentschler (Feb 15)